Zero Inbound Access

Zero Inbound Access clusters build on the security available in Private Network clusters, by allowing clusters to be created without publicly routable IPs. This is distinct from Private Network Clusters, which have a gateway node with a publicly routable IP.

This configuration is a security best practice and a security requirement for many organizations as it reduces the potential attack vectors to compromise servers running back end services.

Features of Zero Inbound Access clusters include:

• Instances in Zero Inbound Access cluster have no publicly routable IPs.
• All the limitations and features of Private Network clusters.
• (For a more complete list, please refer to Security Features Overview)

Alike Private Network Clusters, all inter-node communication within data-layer clusters (Cassandra, Kafka etc) occurs within a private network.

Instaclustr will automatically provision a gateway server which uses reverse SSH to enable cluster management only accessible to Instaclustr technical operation team.  The gateway is firewalled to only be accessible only from Instaclustr’s management system and has no publicly routable IP.

Zero Inbound Access is currently only available as an option on newly provisioned clusters for clusters on AWS, with support for other cloud providers coming soon.

Limitations

• Only available for newly created clusters
• Only available in RIYOA and On-Premises accounts

How to Provision

Zero Inbound Access clusters uses gateways which are shared across regions to save infrastructure costs. Before provisioning a Zero Inbound Access cluster you must first provision a ZIA gateway in that region.

To create using API or Terraform see the relevant documentation. For provisioning via Console follow these steps:

How to Provision a ZIA Gateway via Console

1. First go to Cluster Resources (under the cog icon)

2. Then select the ZIA Gateway tab

3. Now enter the desired name for your gateway and select the desired region. Finally press “Add Gateway”.

4. The gateway will appear in the bottom table, in the “GENESIS” status.

5. Wait for the status to reach “RUNNING”, then your gateway is ready to use!

How to Provision a Zero Inbound Access Cluster via Console

1. On the Create Cluster Page, enable “Zero Inbound Access”. In the below example, we provision an Apache Cassandra cluster, but all Instaclustr applications support Zero Inbound Access.

2. Proceed to the “Data Centre Options” and under “Zero Inbound Access Options” select your desired gateway.

3. Now proceed to the Confirmation page, and the Zero Inbound Access option is shown as an enterprise feature, and the ID of the selected ZIA Gateway is confirmed. Finally select Create Cluster.